How to renew self signed certifcate for Exchange?

Event ID 12018 and 12017

If you are getting the following errors in your Event Logs, then this means you have to renew your Exchange certicates.
When Exchange is first installed, the certifcates that are created only last for one year. You will need to renew
the certicates after that. Newly self signed certifcate will last another year before it needs to be renew again. If SP2 for Exchange 2007 is installed, then the self-signed certificate will last for 5 years.

Even though with these two Event IDs keep showing up on your Event Logs, Exchange will still work.

How to renew self signed certifcate for Exchange?

1. Start the “Exchange Management Shell” from the server that is giving this error.
2. Type “Get-ExchangeCertificate | fl” to check what kind of certicates are installed on the server.
3. If it is self signed, then the “IsSelfSigned” should be “True”.

E.g.

[PS] C:\Windows\System32>Get-ExchangeCertificate | fl

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {cas01, cas01.domainname}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=cas01

NotAfter : 11/6/2010 5:14:51 PM
NotBefore : 11/6/2009 4:14:51 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 0GDDD89A4D1629E4C5936792830552B
Services : IIS, SMTP
Status : Valid
Subject : CN=cas01
Thumbprint : H5442F38270D5154AC2GDDTF8FC357DE9A7FDA65

*Here you see that the “Issuer” is from “cas01″ which is the name of the server. Meaning that it is self signed cert.
Otherwise, if the certicate is from a third party, e.g. Verisign, then you will see something else on here.

4. To renew the certificate, you will need to type in the following command:

Get-ExchangeCertificate -ThumbPrint [old thumbprint value] | New-ExchangeCertificate

e.g.

Get-ExchangeCertificate -ThumbPrint H5442F38270D5154AC2GDDTF8FC357DE9A7FDA65 | New-ExchangeCertificate

5. Press “Y”, to Overwrite existing default SMTP certificate.

6. Type “Get-ExchangeCertificate | fl” to get the list of certs again. You will notice that your old cert is still there and that the “IIS” service is still assigned to it.
For some reason, the New-ExchangeCertificate command doesn’t switch over the “IIS” service to the new cert. This need to be done manually.

7. Type “Enable-ExchangeCertificate -Thumbprint [new thumbprint value] -Services IIS”

e.g.

Enable-ExchangeCertificate -Thumbprint GDDTF8FC357DE9A7FDA65H5442F38270D5154AC2 -Services IIS

8. Review the certificate by entering in the “Get-ExchangeCertificate | fl”

9. Test all services that are assigned to the certificate

10. Remove the old certifcate with the following command

Remove-ExchangeCertificate -ThumbPrint [old thumbprint value]

Both Event IDs 12018 and 12017 should be gone now.

How to renew third party Exchange Certificates?

You will use the same “New-ExchangeCertificate” command, but with different parameters. Read the article from the Microsoft site (article) for the parameter settings.